[Openswan Users] Using x.509 certificates without CA - INVALID_KEY_INFORMATION
elison.niven at gmail.com
Sat May 14 02:23:21 EDT 2011
Hi list,
I am trying to set up IPSEC connections between two machines using
x.509 certificates without using a CA.
On each machine I created the keys and the certificate like this:
# openssl genrsa -des3 -out west.key 1024
# openssl req -new -key west.key -x509 -out west.cert
ipsec.conf on both machines is similar:
conn temp
    left=....
    right=.....
    leftcert=west.cert
    rightcert=east.cert
    auto=add
The certificates west.cert and east.cert are placed in
/etc/ipsec.d/certs on both machines and each machine has its own
private key at /etc/ipsec.d/private/
ipsec.secrets on both machines is similar (change west to east etc.):
: RSA west.key 'passphrase'
The error I am getting on giving ipsec auto --up temp is
INVALID_KEY_INFORMATION.
The openswan wiki quick problem solving guide says:
Problem: INVALID_KEY_INFORMATION
Cause: Openswan did receive a key, but could not establish its
authenticity. With certificates, it might mean that not all CA
certificates in the certificate chain are in /etc/ipsec.d/cacerts.
FIXME (I do not know too much about the other auth methods): with
dnssec, maybe the DNS is unreachable, or does not contain the
necessary data.
I have not used any CA to sign the certificates. Is this valid with
openswan? I am using 2.6.33 on one machine and 2.6.32 on another. Both
are using the NETKEY stack.
Is it necessary to sign the certificates by a CA? How can I establish
a connection using certificates without a CA?
Best Regards,
Elison
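The checks below are an added example and are not part of Elison's post or of Openswan itself. They reproduce the key and certificate generation from the post in a non-interactive form (no passphrase, a fixed -subj, and a 2048-bit key instead of the post's 1024) and then answer the two questions a peer without a CA has to get right: does the private key named in ipsec.secrets actually belong to the certificate named in leftcert, and is the certificate self-signed (issuer equal to subject), so that the peer must trust the certificate itself rather than a chain in /etc/ipsec.d/cacerts. The file names, the subject strings and the WORKDIR variable are placeholders chosen for this example; only the openssl command-line tool is assumed to be installed.

```shell
#!/bin/sh
# Added example, not code from the original post. Assumes the openssl CLI.
set -e

# Scratch directory for the generated files (placeholder; override with WORKDIR=...)
WORKDIR="${WORKDIR:-$(mktemp -d)}"

# make_selfsigned NAME -> writes $WORKDIR/NAME.key and $WORKDIR/NAME.cert
# Same two steps as the post (genrsa, then req -x509), but without a
# passphrase and with -subj so it runs unattended; the subject CN is a
# placeholder. The post's -des3 passphrase would be supplied by ipsec.secrets.
make_selfsigned() {
    name="$1"
    openssl genrsa -out "$WORKDIR/$name.key" 2048 2>/dev/null
    openssl req -new -x509 -key "$WORKDIR/$name.key" \
        -subj "/CN=$name.example.org" -days 365 \
        -out "$WORKDIR/$name.cert" 2>/dev/null
}

# key_matches_cert KEYFILE CERTFILE -> prints "match" or "mismatch"
# Compares the public key derived from the private key with the public key
# embedded in the certificate. A mismatch here means the cert named in
# leftcert cannot be proven with the RSA key named in ipsec.secrets.
key_matches_cert() {
    key_pub=$(openssl pkey -in "$1" -pubout 2>/dev/null)
    cert_pub=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null)
    if [ -n "$key_pub" ] && [ "$key_pub" = "$cert_pub" ]; then
        echo match
    else
        echo mismatch
    fi
}

# is_selfsigned CERTFILE -> prints "yes" when issuer equals subject
# A self-signed certificate has no CA above it, so there is nothing to place
# in /etc/ipsec.d/cacerts; the peer has to hold the certificate itself.
is_selfsigned() {
    issuer=$(openssl x509 -in "$1" -noout -issuer | sed 's/^issuer=//')
    subject=$(openssl x509 -in "$1" -noout -subject | sed 's/^subject=//')
    if [ "$issuer" = "$subject" ]; then echo yes; else echo no; fi
}

# Demonstration when run directly as: sh check_certs.sh demo
if [ "${1:-}" = "demo" ]; then
    make_selfsigned west
    make_selfsigned east
    echo "west key vs west cert: $(key_matches_cert "$WORKDIR/west.key" "$WORKDIR/west.cert")"
    echo "west key vs east cert: $(key_matches_cert "$WORKDIR/west.key" "$WORKDIR/east.cert")"
    echo "west cert self-signed: $(is_selfsigned "$WORKDIR/west.cert")"
fi
```

Run with the argument demo to see the three results; the second line deliberately pairs west's key with east's certificate to show what a mismatch looks like. The comparison is done on the PEM public keys rather than by eyeballing moduli, which makes it usable for non-RSA keys as well.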